CiteSeerX — Secure Outsourced Attribute-based Encryption

(1)

Secure Outsourced Attribute-based Encryption

Jin Li, Jingwei Li, Xiaofeng Chen, Chunfu Jia and Duncan S. Wong

Abstract—Attribute-Based Encryption (ABE) is a promis- ing cryptographic primitive which significantly enhances the versatility of access control mechanisms. Due to the high expressiveness of ABE policies, the computational complexities of ABE key-issuing (by Attribute Authorities (AAs)) and decryption (by eligible users) are getting prohibitively high.

Despite that the existing Outsourced ABE solutions are able to offload some intensive computing tasks to a third party, for example, a cloud, so to relieve the local burden of eligible users during decryption, the high computational complexity of the key-issuing at the AAs has yet to be addressed, while an ABE system will continue to grow with more users being included, and with the user revocation being considered in practice which will trigger more key (re-)issuing.

Aiming at tackling the challenges above, for the first time, we propose a Secure Outsourced ABE system, which not only supports secure outsourced decryption, but also provides secure outsourced key-issuing. Unlike the current outsourced ABE systems, our new method offloads all access policy and attribute related operations in the key-issuing process or decryption to a Key Generation Service Provider (KGSP) and a Decryption Service Provider (DSP), respectively, leaving only a constant number of simple operations for the AAs and eligible users to perform locally. Furthermore, we show that both outsourcing processes (to KGSP and to DSP) are secure, namely, the KGSP and the DSP would not be able to recover the keys or decrypt the ciphertexts, respectively.

In addition, we consider the scenario that a KGSP or DSP may be dishonest and could maliciously generate some incorrect returning values rather than following the outsourced operations. Therefore, in this paper, we also propose another ABE construction which allows the AAs and eligible users to check the correctness of outsourced operations in an efficient way. The security of the construction is analyzed under a recently formalized model called Refereed Delegation of Computation (RDoC).

Index Terms—Attribute-based encryption, access control, outsourcing computation, cloud computing, checkability

I. INTRODUCTION

As a novel public key primitive, Attribute-Based En- cryption (ABE) [1] has attracted much attention in the research community. In ABE system, users’ private keys and ciphertexts are labeled with sets of descriptive attributes

Jin Li is with the School of Computer Science, Guangzhou University, China, e-mail: lijin@gzhu.edu.cn.

Jingwei Li and Chunfu Jia are with the College of Information Techni- cal Science, Nankai University, China, e-mail: lijw@mail.nankai.edu.cn, cfjia@nankai.edu.cn.

Xiaofeng Chen is with the State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an, China, e-mail:

xfchen@xidian.edu.cn.

Duncan S. Wong is with the Department of Computer Science, City University of Hong Kong, China, e-mail: duncan@cityu.edu.hk.

and access policies respectively, and a particular key can decrypt a particular ciphertext only if associated attributes and policy are matched. Until now, there are two kinds of ABE having been proposed: Key-Policy Attribute-Based En- cryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE). In KP-ABE, the access policy is assigned in private key, whereas, in CP-ABE, it is specified in ciphertext.

Recently, as the development of cloud computing, users’

concerns about data security are the main obstacles that impedes cloud computing from widely adopted. These concerns are originated from the fact that sensitive data resides in public cloud, which is maintained and operated by untrusted Cloud Service Provider (CSP). ABE provides a secure way that allows data owner to share outsourced data on untrusted storage server instead of trusted server with specified group of users. This advantage makes the methodology appealing in cloud storage that requires secure access control for a large number of users belonging to different organizations.

Nevertheless, one of the main efficiency drawbacks of ABE is that the computational cost during decryption phase grows with the complexity of the access formula. Thus, before widely deployed, there is an increasing need to improve the efficiency of ABE. To address this problem, outsourced ABE, which provides a way to outsource intensive computing task during decryption to CSP without revealing data or private keys, was introduced [2][3]. It has a wide range of applications. For example, in the mobile cloud computing consisting of mobile devices or sensors as information collection nodes, user terminal (e.g. mobile device) has limited computation ability to independently finish basic encryption or decryption to protect sensitive data residing in public cloud. Outsourced ABE allows user to perform heavy decryption through “borrowing”

the computation resources from CSP. Therefore, with this paradigm, the computation/storage intensive tasks can be performed even by resource-constrained users.

Beyond the heavy decryption outsourced, we observe that the attribute authority has to deal with a lot of heavy computation in a scalable system. More precisely, the attribute authority has to issue private keys to all users, but yet generation of private key typically requires large modular exponentiation computation, which grows linearly with the complexity of the predicate formula. When a large number of users call for their private keys, it may overload attribute authority. Moreover, key management mechanism key revocation in particular, is necessary in a secure and scalable ABE system. In most of existing ABE schemes, the revocation of any single private key requires key-update at attribute authority for the remaining unrevoked keys which

(2)

share common attributes with the one to be revoked. All of these heavy tasks centralized at authority side would make it become the efficiency bottleneck in the access control system.

A. Contribution

Aiming at eliminating the most overhead computation at both attribute authority and user sides, we propose an outsourced ABE scheme not only supporting outsourced decryption but also enabling delegating key generation. In this construction, we introduce a trival policy controlled by a default attribute and use an AND gate connecting the trival policy and user’s policy. During key-issuing, attribute authority can outsource computation through delegating the task of generating partial private key for user’s policy to a Key Generation Service Provider (KGSP) to reduce local overhead. Moreover, the outsourced decryption is realized by utilizing the idea of key blinding. More precisely, user can send the blinded private key to a Decryption Service Provider (DSP) to perform partial decryption and do the complete decryption at local. Following our technique, constant efficiency is achieved at both attribute authority and user sides.

In addition, we observe that when experiencing commercial cloud computing services, the CSPs may be selfish in order to save its computation or bandwidth, which may cause results returned incorrectly. In order to deal with this problem, we consider to realize checkability on results returned from both KGSP and DSP, and provide a security and functionality enhanced construction, which is provable secure under the recent formulized Refereed Delegation of Computation (RDoC) model. Out technique is to make a secret sharing on the outsourcing key for KGSP and let k parallel KGSPs utilize their individual share to generate partial private keys. After that an additional key combination phase is performed at authority side to avoid malicious collaboration between at most k − 1 KGSPs and users. Moreover, we use the idea of “ringer” [4] and appending redundancy to fight against the dishonest actions of KGSPs and DSP. As far as we know, this is the first time considering the checkability of outsourced ABE.

B. Related Work

The notion of ABE, which was introduced as fuzzy identity-based encryption in [1], was firstly dealt with by Goyal et al. [5]. Two different and complementary notions of ABE were defined in [5]: KP-ABE and CP-ABE. A construction of KP-ABE was provided in the same paper [5], while the first CP-APE construction supporting tree- based structure in generic group model is presented by Bethencourt et al. [6]. Accordingly, several constructions supporting for any kinds of access structures were provided [7][8][9]. Concerning revocation of ABE, a delegatable revocation is proposed in [10] to achieve scalable and fine- grained access control.

To reduce the load at local, it always desires to deliver expensive computational tasks outside. Actually, the problem that how to securely outsource different kinds of expensive computations has drew considerable attention from theoretical computer science community. Atallah et al. [11]

presented a framework for secure outsourcing of scientific computations such as matrix multiplication and quadrature.

Nevertheless, the solution used the disguise technique and thus leaded to leakage of private information. Atallah and Li [12] investigated the problem of computing the edit distance between two sequences and presented an efficient protocol to securely outsource sequence comparison with two servers. Furthermore, Benjamin and Atallah [13]

addressed the problem of secure outsourcing for widely applicable linear algebraic computations. Nevertheless, the proposed protocols required the expensive operations of homomorphic encryption. Atallah and Frikken [14] further studied this problem and gave improved protocols based on the so-called weak secret hiding assumption. Recently, Wang et al. [15] presented efficient mechanisms for secure outsourcing of linear programming computation.

We note that though several schemes have been introduced to securely outsource kinds of expensive computations, they are not suitable for reliving ABE computational overhead of exponentiation at user side. To achieve this goal, the traditional approach is to utilize server-aided techniques [16][17][18]. However, previous work are oriented to accelerating the speed of exponentiation using untrusted servers. Directly utilizing these techniques in ABE will not work efficiently. Another approach might be to leverage recent general outsourcing technique or delegating computation [19][20][21][22][23] based on fully homomorphic encryption or interactive proof system. However, Gentry [23] has shown that even for weak security parameters on

“bootstrapping” operation of the homomorphic encryption, it would take at least 30 seconds on a high performance ma- chine. Therefore, even if the privacy of the input and output can be preserved by utilizing these general techniques, the computational overhead is still huge and impractical.

Another two related work similar to us are [3] and [2].

In [2], a novel paradigm for outsourcing the decryption of ABE is provided while in [3] the authors presented the Privacy Preserving CP-ABE (PP-CP-ABE) scheme which allows to securely outsource both decryption and encryption to third party service providers. Compared with our work, the two lack of the consideration on the eliminating the overhead computation at attribute authority. Additionally, we consider a security and functionality enhanced construction enalbing checkability on returned results from CSPs.

C. Organization

This paper is organized as follows. In Section II we describe some preliminaries. In Section III, we present the system model and security definition. The proposed construction and its security and efficiency analysis are presented in Section IV. In Section V, we consider a both security and functionality enhanced construction under RDoC model. Finally, we draw conclusion in Section VI.

(3)

Acronym Description AA attribute authority

KGSP key generation service provider DSP decryption service provider SSP storage service provider

TABLE I

NOTATIONSUSED INTHISPAPER

Fig. 1. System Model for Outsourced ABE Scheme

II. PRELIMINARY

In this section, we define the notations used in this paper and review some cryptographic background.

A. Notations

The notations used in this paper are listed in TABLE I.

B. Cryptographic Background

In this paper, we use the bilinear pairings on elliptic curves. We now give a brief review on the property of pairing and the candidate hard problem that will be used.

Definition 1 (Bilinear Map): Let G, GT be cyclic groups of prime order q, writing the group action multiplicatively. g is a generator ofG. Let e : G×G → GT

be a map with the following properties:

• Bilinearity: e(g₁^a, g^b₂) = e(g1, g2)^ab for all g1, g2∈ G, and a, b∈RZq;

• Non-degeneracy: There exists g1, g2 ∈ G such that e(g1, g2)̸= 1, in other words, the map does not send all pairs inG × G to the identity in GT;

• Computability: There is an efficient algorithm to com- pute e(g1, g₂) for all g1, g₂∈ G.

Definition 2 (DBDH Problem): The Decision Bilinear Diffie-Hellman (DBDH) problem is that, given g, g^x, g^y, g^z∈ G for unknown values x, y, z ∈RZq, and T ∈RGT, to decide if T = e(g, g)^xyz.

We say that the (t, ϵ)-DBDH assumption holds in G if no t-time algorithm has probability at least ¹₂+ ϵ in solving the DBDH problem for non-negligible ϵ.

III. SYSTEMMODEL ANDSECURITYDEFINITION

A. System Model

We present the system model for outsourced ABE scheme in Fig. 1. Compared with the model for typical ABE, a KGSP and a DSP are additionally involved.

• KGSP is to perform aided key-issuing computation to relieve AA load in a scale system when a large number of users make requests on private key generation and key-update.

• DSP is to finish delegated expensive operations to overcome the disadvantage that the decryption phase in typical ABE requires a large number of overload operations at U.

Following the custom in [2], we denote (Ienc, Ikey) as the input to encryption and key generation. In CP-ABE scheme, (Ienc, Ikey) = (A, ω) while that is (ω, A) in KP- ABE, where ω andA are attribute set and access structure, respectively. Then, based on the proposed system model, we provide algorithm definitions as follows.

• Setup(λ) : The setup algorithm takes as input – a security parameter λ. It outputs a public key P K and a master key M K.

• KeyGen_init(I_key, M K) : For each user’s private key request, the initialization algorithm for delegated key generation takes as input – an access policy (or at- tribute set) Ikey and the master key M K. It outputs the key pair (OKKGSP, OKAA).

• KeyGen_out(Ikey, OKKGSP) : The delegated key generation algorithm takes as input – the access structure (or attribute set) Ikeyand the key OKKGSPfor KGSP.

It outputs a partial transformation key T KKGSP.

• KeyGen_in(Ikey, OKAA) : The inside key generation algorithm takes as input – the access structure (or attribute set) Ikey and the key OKAA for attribute authority. It outputs another partial transformation key T K_AA.

• KeyBlind(T K) : The transformation key blinding algorithm takes as input – the transformation key T K = (T K_KGSP, T K_AA). It outputs a private key SK and a blinded transformation key gT K.

• Encrypt(M, Ienc) : The encryption algorithm takes as input – a message M and an attribute set (or access structure) Ienc to be encrypted with. It outputs the ciphertext CT .

• Decrypt_out(CT, gT K) : The delegated decryption al- gorithm takes as input – a ciphertext CT which was assumed to be encrypted under the attribute set (or access structure) Ienc and the blinded transformation key gT K for access structure (or attribute set) Ikey. It outputs the partially decrypted ciphertext CTpart if γ(I_key, I_enc) = 1, otherwise outputs ⊥, where γ(·, ·) is a predicate predefined.

• Decrypt(CT_part, SK) : The decryption algorithm takes as input – the partially decrypted ciphertext CT_partand the private key SK. It outputs the original message M .

B. Security Definition

In this work, we assume that all the entities except AA are “honest-but-curious”. More precisely, they will follow our proposed protocol but try to find out as much private information as possible based on their possessions. The

(4)

Fig. 2. Adversary Model for Outsourced ABE Scheme

adversary model described in Fig. 2 is considered. More precisely, since KGSP and U respectively owns the knowl- edge of OKKGSPfor KGSP and user’s private key, they are considered as active attackers which are allowed to collude with DSP and SSP to launch harmful attack separately.

Following this consideration, two types of adversaries are categorized.

• Type-I adversary defined as a group of curious users colluding with SSP and DSP, is able to potentially access private keys for all the corrupted users, all the ciphertext stored at SSP, all the blinded transformation keys stored at DSP, etc, and aims to decrypt ciphertext intended for users not in the group.

• Type-II adversary defined as KGSP colluding with SSP and DSP, is able to potentially access all the keys for KGSP, all the ciphertexts stored at SSP, all the blinded transformation keys stored at DSP, etc, and aims to decrypt any ciphertext.

Having this intuition, we follow the Replayable Chosen Ciphertext Attack (RCCA) security in [24][2] to define RCCA security for our setting in Fig. 3. We point out that the security game for type-I adversary is similar to that in [2] which shares the same delegated decryption paradigm with ours.

DenoteAi as type-i adversary for i = I, II. Their advan- tages in attacking the outsourced ABE scheme E is mea- sured by the probability Adv^RCCA_E,A

i (λ) =Pr[b_i = b^′_i]−¹₂ respectively.

Definition 3 (RCCA Security): An outsourced CP-ABE or KP-ABE scheme with delegated key generation and decryption is secure against replayable chosen-ciphertext attack if all polynomial time adversaries have at most a negligible advantage in the RCCA security game for both type-I and type-II adversaries.

Finally, beyond the RCCA security, we also specify that, i) An ABE scheme with delegated key generation and decryption is CPA-secure (or secure against chosen- plaintext attack) if no polynomial time adversary has non- negiligible advantage in modified games for type-I and type-II adversaries respectively, in which theOM(·) in both phase 1 and phase 2 is removed; ii) An ABE scheme with delegated key generation and decryption is secure in selective model if no polynomial time adversary has non-negiligible advantage in modified games for type-I and type-II adversaries respectively, in which the I_enc^∗ submission is advanced to an additional init stage before setup.

IV. PROPOSEDCONSTRUCTION

A. Access Structure

Definition 4 (Access Structure): Let {P1, . . . , P_n} be a set of parties. A collectionA ⊆ 2^{P¹^,P²^,...,Pⁿ^} is monotone if ∀B, C : if B ∈ A and B ⊆ C then C ∈ A.

An access structure (or monotone access structure) is a collection (or monotone collection)A of non-empty subsets of {P1, P2, . . . , Pn}. The sets in A are called authorized sets.

Furthermore, we could define the predicate γ(·, ·) as follows.

γ(ω,A) = {

1 if ω∈ A

0 otherwise (1)

In this paper, the role of the party is taken by the attributes. Thus, the access structure A will contain the authorized sets of attributes. Specifically, our construction supports for access structure described as A = {ω ⊆ U :

|ω ∩ ω^∗| ≥ d} where U is the attribute universe, ω and ω^∗ are attribute sets and d is a predefined threshold value.

For simplicity, we will take user’s attribute set to input to key generation instead of his access structure which is different from our definition in section III.A. We note that such substitution is trival since user is easy to compute his access structure with the individual attribute set. Further- more, we deliver the decision for access control to γ(·, ·) and redefine such predicate as follows.

γd(ω, ω^∗) = {

1 if|ω ∩ ω^∗| ≥ d

0 otherwise (2)

B. Intuition for Proposed Construction

The challenge for constructing outsourced ABE scheme is the realization of delegated key generation and decryption.

• To outsource private key generation, we utilize a hybrid key policy Policy = Policy_KGSP∧ PolicyAA in proposed construction, where∧ is an AND gate connecting two sub-policies Policy_KGSP and Policy_AA. Policy_KGSP is for the request attribute set which will be performed at KGSP while Policy_AA is a trival policy controlled by AA. The reason that we say it is trival is that a single default attribute θ is appended with each request attribute set, which has no effect on the global access control policy. Using this trick, we are allowed to randomly generate an outsourcing key (which is OKKGSP in our construction) to delegate partial key generation operation to KGSP without master or private key leakage.

• To outsource decryption, we make use of the idea in [3] by choosing a random “blinding factor” (which is t in our construction) to produce blinded transformation key which is able to be sent to DSP to perform decryption partially instead of private key itself. This skill allows us to delegate partial decryption operation to DSP without private key or original message leakage.

(5)

RCCA Security Game for Type-I Adversary

Setup. Challenger runs Setup(λ) and gives P K to adversary.

Phase 1. Challenger initializes an integer j = 0, an empty table T and an empty set D to provide adversary with the oracles below.

• O_{T K}_g(Ikey): The challenger sets j = j + 1 and runs key generation (including key blinding) completely for Ikeyto obtain SK, T K, OKKGSP and gT K. After storing the entry (j, Ikey, SK, OKKGSP) in T , return gT K.

• OSK(i): The challenger checks whether the entry (i, Ikey, SK,·) exists in T . If so, set D = D ∪ {Ikey} and return SK, otherwise return⊥.

• OM(i, CT ): Suppose the ciphertext CT is encrypted under Ienc. The challenger checks whether (i, Ikey, SK,·) exists in T and γ(Ikey, Ienc) = 1. If so, perform decryption completely on CT and return original message M ; otherwise return⊥.

Challenge. Adversary submits two messages M0 and M1 as well as I_enc^∗ satisfying γ(Ikey, I_enc^∗ ) ̸= 1 for all I_key∈ D. Challenger picks bI ∈R{0, 1}, encrypts MbI under I_enc^∗ and returns the resulting ciphertext CT^∗. Phase 2. Phase 1 is repeated with the restrictions: i) Adversary cannot issue query OSK(i) resulting in a value Ikey with γ(Ikey, I_enc^∗ ) = 1. ii) Adversary cannot issue queryOM(·) resulting M0 or M1.

Guess. Adversary outputs a guess b^′_I of b_I. RCCA Security Game for Type-II Adversary

Setup. Challenger runs Setup(λ) and gives P K to adversary.

Phase 1. Challenger initializes an integer j = 0, an empty table T and an empty set D to provide adversary the oracles below.

• O_{T K}_g(Ikey): It is identical to O_{T K}_g(Ikey) for type-I adversary.

• OOK_KGSP(i): The challenger checks whether the entry (i, Ikey, SK, OKKGSP) exists in T . If so return (OKKGSP, T K), otherwise return⊥.

• OM(i, CT ): It is identical toOM(i, CT ) for type-I adversary.

Challenge.Adversary submits two messages M0and M1as well as I_enc^∗ . Challenger picks bII∈R{0, 1}, encrypts M_b_II under I_enc^∗ and returns the resulting ciphertext CT^∗.

Phase 2.Phase 1 is repeated with the restriction that adversary cannot issue query toOM(·) resulting M0or M1. Guess. Adversary outputs a guess b^′_II of b_II.

Fig. 3. Security Games for Type-I and Type-II Adversaries

C. Construction

Before providing our construction, we define the La- grange coefficient ∆_i,S for i∈ Zq and a set S of elements inZq: ∆_i,S =∏

j∈S,j̸=ix−j

i−j. Our scheme is based on ABE in [1] which shares the same access formula. The message space for our construction is GT. Actually, using a map- to-point function, we can extend it to support for message space consisting of {0, 1}^∗. The construction in detail is shown as follows.

• Setup(λ) : First, define the attributes in universeU as elements inZq. For simplicity, let n =|U| and we can take the first n elements inZq (i.e. 1, 2, . . . , n mod q) to be the universe. Next, select a generator g ∈R G and an integer x∈RZq, and set g1= g^x. Then, pick elements g2, h, h1, . . . , hn ∈R G. Finally, output the public key P K = (g, g1, g2, h, h1, . . . , hn) and the master key M K = x.

• KeyGen_init(ω, M K) : For each user’s private key request on ω, select x1 ∈R Zq and set x2 = x− x1 mod q. Finally output OKKGSP = x1 as the outsourcing key for KGSP and OKAA = x2 for attribute authority itself.

• KeyGen_out(ω, OK_KGSP) : Randomly select a d− 1

degree polynomial q(·) such that q(0) = x1. Then, for each i ∈ ω, choose ri ∈R Zq, and compute di0 = g^q(i)₂ · (g1hi)^rⁱ and di1 = g^rⁱ. Finally, output T K_KGSP= ({di0, d_i1}i∈ω).

• KeyGen_in(ω, OK_AA) : Select rθ ∈RZq and compute d_θ0 = g^x₂² · (g1h)^r^θ and d_θ1 = g^r^θ. Finally, output T K_AA= (d_θ0, d_θ1).

• KeyBlind(T K = (T K_KGSP, T K_AA)) : Select t ∈R

Zq, and compute gT K = ({d^ti0, d^t_i1}i∈ω∪{θ}). Finally, output SK = (t, T K) and gT K.

• Encrypt(M, ω^′) : Firstly, select a random number s ∈R Zq. Then, compute C0 = M · e(g1, g2)^s, C1 = g^s, Eθ = (g1h)^s and Ei = (g1hi)^s for i ∈ ω^′. Finally, publish the ciphertext as CT = (ω^′∪ {θ}, C0, C1,{Ei}i∈ω^′∪{θ}).

• Decrypt_out(CT, gT K) : Suppose that a ciphertext CT is encrypted under an attribute set ω^′ and we have a blinded transformation key gT K for attribute set ω, which satisfies the restriction that γ_d(ω, ω^′) = 1. Then, outsourced decryption proceeds as follows. Firstly, an arbitrary d-element subset set S⊆ ω ∩ ω^′ is selected.

Then, the partially decrypted ciphertext is computed as follows.

(6)

CT_part = e(C1, d^t_θ0)∏

i∈Se(C1, d^t_i0)^∆^i,S⁽⁰⁾ e(d^t_θ1, Eθ)∏

i∈Se(d^t_i1, Ei)^∆^i,S⁽⁰⁾

= e(g, g2)^stx²e(g, g2)^st^∑^i∈S^q(i)∆^i,S⁽⁰⁾

= e(g, g2)^stx²e(g, g2)^stx¹

= e(g1, g2)^st (3)

• Decrypt(CTpart, SK) : Completely decrypt the ciphertext as follows.

C0

(CT_part)¹^t = M· e(g1, g2)^s [e(g₁, g₂)^st]¹^t

= M· e(g1, g₂)^s

e(g1, g2)^s = M (4)

D. Efficiency Analysis

We compare our scheme with the original ABE [1]

and the state-of-the-art [2][3] in TABLE II. We use EXP to denote a multi-based exponentiation operation in G and P the pairing operation. We assume one multi-based exponentiation multiplies up to 2 single-based exponentiations and takes roughly the same time as single-based exponentiations. ω and d denotes the attribute set and threshold value respectively.

To the best of our knowledge, the outsourced key generation in ABE has not been considered before and our scheme is the first construction achieving this property.

Following our terminology, the number of exponentiations in the group G for AA is reduced to two, while in other ABE schemes [1][2][3], it is linear with the number of attributes in the request set (i.e. 2|ω|). Actually in our construction, the exponentiation computation is delivered to KGSP and requester. More precisely, after obtaining the transformation key from AA, the requester must spend

|ω| + 1 exponentiations on generating private key and blinded transformation key. We think it is reasonable that AA delivers some computations back to users because such modification would reduce AA load and make it respond to a large number of users’ requests in time.

In decryption, a trick similar to [2][3] is used in our scheme and the three schemes achieve the identical efficiency: all the pairing operations are delivered to DSP and the computational cost of decryption for user is constant, only one exponentiation operation. Whereas the original ABE scheme [1] requires 2d pairing as well as 2d expo- nentiation operations for a single decryption, where d is the threshold value.

Concerning on the communication complexity in our scheme, user has to send a private key request to AA and receive 2|ω| + 2 elements in G. Furthermore, he is able to send blinded transformation key (as well as 2|ω| + 2 elements in G) to DSP to perform partially decryption in future. In general, an element in G is set to be 160-bit long for 2⁸⁰security. The data transferred among the cloud service providers, AA and user is tens of KBs at most, which can be processed efficiently.

E. Security Analysis

Theorem 1: The outsourced ABE scheme is indistin- guishable secure against chosen-plaintext attack in selective model under DBDH assumption.

Proof: For the purpose of proving the security of our scheme, we should show that it is secure againt both type-I and type-II adversaries. It is noted that the main difference between type-I and type-II adversary is the oracles provided. Specifically, type-I adversary is provided withOSK(·) while challenger gives OOK_KGSP(·) to type- II adversary. Thus, we will utilize a bit b to denote this difference (i.e., if b = 0, adversary is provided with OSK(·); and otherwise with OOKKGSP(·)) and attempt to provide a single simulation against both of type-I and type- II adversaries.

Assume that an adversaryA has advantage ϵ in attacking the proposed outsourced ABE scheme in the sense of CPA security for selective model, we will build a simulator S that usesA as a sub-algorithm to solve the DBDH problem with a non-negligible probability. Therefore, in this analysis our main task is to provide a correct simulation of the real game between a challenger and an adversaryA.

Suppose the challenger flips a fair binary coin µ outside ofSI’s view. If µ = 0, SI is given (X = g^x, Y = g^y, Z = g^z, T = e(g, g)^xyz); otherwise, (X = g^x, Y = g^y, Z = g^z, T = e(g, g)^v) for random x, y, z, v ∈ Zq. SI is asked to output a value µ^′ as the guess for µ. We provide the simulation as follows.

Init. The simulator S runs A and receives the challenge attribute set ω^∗.

Setup. Simulator S assigns the public key as follows. It sets g1 = X, g2 = Y and h = g₁⁻¹g^−α where α ∈R Zq. For i∈ ω^∗, it randomly selects αi ∈R Zq and sets hi = g⁻¹₁ g^αⁱ. For i /∈ ω^∗, it randomly selects αi ∈R Zq and sets hi = g^αⁱ. Finally, S sends the public key P K = (g, g1, g2, h, h1, . . . , hn) to A where n is the number of attributes in universe.

Phase 1.S initializes an integer j = 0 and an empty table T to provideA several oracles as follows.

• O_{T K}_g(ω):S sets j = j + 1 and answers A’s query in one of the following ways.

– If b = 0, A is a type-I adversary. In this case, S selects x2 ∈R Zq and attempts to simulate T KKGSP = ({di0, di1}i∈ω) as follows. Define three sets Γ, Γ^′and S with Γ = ω∩ω^∗,|Γ^′| = d−

1, Γ⊆ Γ^′ ⊆ ω and S = Γ^′∪ {0}. Then, for each i ∈ Γ^′, compute (di0, di1) = (g₂^τⁱ(g1hi)^rⁱ, g^rⁱ) where τi, ri∈RZq. For each attribute i∈ ω − Γ^′, the simulator set ri=−y∆0,S(i)+r_i^′and obtains di0 = g

∑

j∈Γ′∆_j,S(i)τ_j−(x2+α_i)∆_0,S(i)

2 (g1hi)^r^′ⁱ

and di1 = g₂^−∆^0,S⁽ⁱ⁾g^r^′ⁱ), where r^′_i ∈R Zq. The intuition behind these assignments is that q(i) =∑

j∈Γ^′∆j,S(i)q(j) + ∆0,S(i)q(0) and we are implicitly choosing a random d− 1 degree polynomial q(·) by choosing its value for the d−1 points randomly as q(i) = τi for i ∈ Γ^′, in

(7)

Schemes Key generation (AA) Key generation (KGSP) Decryption (U) Decryption (DSP)

original ABE [1] 2|ω|EXP – 2dP+2dEXP –

outsourced ABE in [2] 2|ω|EXP – EXP 2dP+2dEXP

outsourced ABE in [3] 2|ω|EXP – EXP 2dP+2dEXP

outsourced ABE in this paper 2EXP 2|ω|EXP EXP 2dP+2dEXP

The symbol ‘–’ denotes that this property is not considered in the corresponding scheme.

TABLE II EFFICIENCYCOMPARISON

addition to having q(0) = x− x2. Next, S runs T KAA= KeyGen_in(ω, x2) and KeyBlind(T K = (T K_KGSP, T K_AA)) to obtain SK and gT K. After adding the entry (j, ω, SK,·) into T , return gT K.

– Otherwise, A is type-II adversary. S selects x1 ∈R Zq and computes T KKGSP = KeyGen_out(ω, x1). Meanwhile, it is to simu- late (dθ0, dθ1) = (g^x₂^−x¹(g1h)^r^θ, g^r^θ) by set- ting rθ = ^xy_α and computing (dθ0, dθ1) = (g^−x₂ ¹, g^xy^α). Next, pick t = _y¹ and obtain T K =g {d^ti0, d^t_i1}i∈ω∪{θ}. After adding the entry (j, ω, SK = (t, T K), x1) into T , return gT K.

• OSK: This oracle is only provided with type-I adver- sary (i.e. b = 0). Upon receiving i, if there is an entry (i, ω, SK,·) with |ω ∩ ω^∗| ≥ d in T , S returns SK.

• OOK_KGSP(i): This oracle is only provided with type-II adversary (i.e. b = 1). Upon receiving i, if there is an entry (i, ω, SK, x1) in T , S returns x1.

Challenge. The adversary A will submit two chal- lenge messages M0 and M1 to S. The simulator flips a fair binary coin ν and returns an encryption of Mν. The ciphertext is simulated as CT^∗ = (ω^∗ ∪ {θ}, MνT, g^z, g^−zα,{g^zαⁱ}i∈ω^∗). We note that: i) If µ = 0, then T = e(g, g)^xyz. If we let s = z, then we have C0 = MνT = Mνe(g, g)^xyz = Mνe(g1, g2)^z, C1 = g^z, Eθ = g^−zα = (g1g₁⁻¹g^−α)^z = (g1h)^z and Ei = g^zαⁱ = (g1g₁⁻¹g^αⁱ)^z = (g1hi)^z for i ∈ ω^∗. Therefore, the ciphertext is random encryption of the message Mν

under the attribute set ω^∗. ii) Otherwise, if µ = 1, then T = e(g, g)^v. We then have C0 = M_νe(g, g)^v. Since v is random, C₀ will be a random element in GT from A’s view and the encrypted message contains no information about M_ν.

Phase 2. Phase 1 is repeated with the restriction that A cannot issue private key query on ω in the case b = 0, where|ω ∩ ω^∗| ≥ d.

Guess. A will submit a guess ν^′ of ν. If ν^′ = ν the simulatorS will output µ^′= 0 to indicate that it was given a DBDH-tuple otherwise it will output µ^′ = 1 to indicate it was given a random 4-tuple.

In the case where µ = 1,A has no information about ν.

Therefore, we have Pr[ν̸= ν^′|µ = 1] = ¹₂. SinceS guesses µ^′= 1 when ν ̸= ν^′, we have Pr[µ^′= µ|µ = 1] = ¹₂.

If µ = 0, then the adversary sees an encryption of Mν. It has an advantage ϵ in this situation by definition. Therefore, we have Pr[ν = ν^′|µ = 0] = ¹₂+ ϵ. SinceS guesses µ^′= 0 when ν = ν^′, we have Pr[µ^′= µ|µ = 0] = ¹₂ + ϵ.

Fig. 4. Application in Hybrid Cloud Setting

The overall advantage of S in the DBDH game is

1

2Pr[µ^′ = µ|µ = 0] + ¹₂Pr[µ^′ = µ|µ = 1] − ¹₂ =

1

2(¹₂+ ϵ) +¹₂¹₂−¹₂ = ¹₂ϵ.

Finally, we note that though our construction is CPA- secure, it is allowed to be extended to the stronger RCCA- security guarantee by using simulation-sound NIZK proofs [25]. Alternatively, if we are willing to use random oracle, then we can use standard techniques such as the Fujisaki- Okamoto transformation [26].

F. Practical Consideration

As illustrated in Fig. 4, we can consider to utilize our construction in hybrid clouds. More precisely, KGSP is maintained as a private cloud with high trust to deal with sensitive information, but leaving SSP and DSP as public cloud to provide public storage and computation service respectively. Actually, this type of hybrid setting has become more and more attractive as many organizations are moving to the public cloud due to its benefit of highly available and scalable resources but still want to store and process the critical data in the private cloud.

As shown in Fig. 5, we provide the working process of proposed construction for outsourced key generation and decryption.

In the outsourced key generation shown in Fig. 5(a), AA and KGSP are allowed to parallelly perform computation to produce partial transformation key for customized and default attributes. Specifically, after producing the key pair (OKKGSP, OKAA) with KeyGen_init(ω, M K), two individual phase can be executed simultaneously. i) At KGSP, OKKGSP is involved to generate partial transformation key for customized attribute set ω. ii) At AA, OKAA is involved to generate the other partial transformation key for default attribute θ. The parallel computation is benefit for improving efficiency in key generation for ABE system.

In the outsourced decryption shown in Fig. 5(b), user firstly fetches ciphertext from SSP and computes the inter-

(8)

KGSP AA U

(a) Outsourced Key Generation

DSP U SSP

(b) Outsourced Decryption Fig. 5. Outsourced Key Generation and Decryption

section subset S locally. Therefore, only a partial ciphertext, blinded transformation key and intersection subset need to be delivered to DSP to perform partial decryption.

Alternatively, it allows another scenario, in which after key generation user directly sends his attribute set ω and corresponding blinded transformation key gT K to DSP to be stored. In this case, the DSP performs a role as proxy, who can automatically retrieve ciphertexts that user is interested in and forward to him partially decrypted one. The DSP could be the user’s mail server, or the same entity along with SSP in cloud environment.

V. ANOTHERCONSTRUCTION WITHCHECKABILITY

We observe that in the commercial cloud computing, for saving computation or bandwidththe, CSPs may be selfish to execute only a fraction of delegated operation and return result incorrectly. The dishonest action of CSPs may cause users obtain incorrect keys or messages. We also point out that our first construction provides provable secrecy in the sense that KGSP is maintained as a private cloud with high trust. By this, we mean that an untrusted

KGSP is able to collaborate with user to fake private key to enhance his “power”. More precisely, Suppose a user and the KGSP collude together. They are able to obtain OK_KGSP= x₁ and{dθ0, d_θ1} corresponding to this user.

With this possession, they can generate T K_KGSP^′ for target attribute set ω^′ and joint it with {dθ0, dθ1} to obtain the faked T K^′ . Using this one, ciphertext satisfied by ω^′ can be decrypted.

Therefore, in this section, aiming at providing checkability as well as reducing the trust on KGSP, we propose another construction under the widely used RDoC model.

A. Outsourced ABE in Refereed Delegation of Computation Model

RDoC model originates from the model of refereed games in [27], and is later formalized in [18][28]. In RDoC model, the client is able to interact with multiple servers and it has a right output as long as there exists one server that follows the proposed protocol. One of the most advantages of RDoC over traditional model with single server is that the security risk on the single server is reduced to multiple

(9)

Fig. 6. Adversary Model for Outsourced ABE under RDoC

servers involved in. As the result of both the practicality and utility, RDoC model recently has been widely utilized in the literature of outsourced computation [18][28][29][30][14].

To reduce the trust on KGSP, we will consider the out- sourced ABE system in RDoC model, in which k KGSPs cooperatively work together to provide AA with the key generation service (k−1 are malicious at most). In this case, as the adversary model illustrated in Fig. 6, an additional collusion between user and at most k−1 malicious KGSPs is allowed. Then, the two types adversaries defined in Section III.B are semi-merged together and able to obtain OK_KGSP[i]for malicious KGSP[i], private keys for all the corrupted users, all the blinded transformation keys stored at DSP and so on, where i = 1, 2, . . . , k− 1.

Having this intuition above, we can redefine the security definition of our setting for RDoC model. The challenger will maintain the table T , set D and integer j to provide the adversary with three type of oracles (if RCCA is considered OM(·) should be added).

• OOKKGSP(Ikey, b): Challenger sets j = j + 1 and runs key generation (including key blinding) completely for Ikey to obtain SK,{OKKGSP[i]}^ki=1 and gT K. After adding the entry (j, Ikey, SK,{OKKGSP[i]}^ki=1, gT K) into T , return{OKKGSP[i]}^ki=1,i̸=b.

• O_{T K}_g(i): The challenger checks whether the entry (i, I_key, SK,{OKKGSP[j]}^kj=1, gT K) exists in T , if so return gT K; otherwise return⊥.

• OSK(i): The challenger checks whether the entry (i, Ikey, SK,{OKKGSP[j]}^kj=1, gT K) exists in T , if so set D = D∪ {Ikey} and return SK, otherwise return

⊥.

B. Intuition for Proposed Construction

For simplicity, we only consider and provide the second construction with two KGSPs. The key challenge for our second construction exists in two folds.

• One is how to prevent from the collusion between the user and the malicious KGSP. Our solution is to intelligently extend the hybrid policy trick in the first construction. Specifically, in addition to building an AND gate betweenPAAandPKGSP, we introduce a (2, 2)-secret sharing onPKGSPand make each KGSP only know its own share OKKGSP[i] for i = 1, 2. In this sense, even if user collude with a KGSP and obtain {OKKGSP[i]} for i = 1 or 2, he cannot recover the

secret (which is actually x₁ in our construction) to serve the devil.

• The other is how to detect the dishonest action from KGSPs and DSP beyond collusion. To fight against it, – we extend the idea of “ringer” [4] to our setting to convince that KGSPs do indeed perform all the computations that were outsourced to them. More precisely, AA generates a random value (d− 1)- degree polynomial qRG(·) and sends it along with q_KGSP[i](·) in a random order to KGSP[i]. Each KGSP generates partial transformation key using both qRG(·) and qKGSP[i](·), and AA detects the dishonest action by checking all the partial trans- formation key computed from qRG(·) (to make sure that all the honest KGSPs will obtain the same result from OKRGin a honest computation, the random values {ri} for qRG(·) should be selected by AA in advance).

– In addition, we detect the dishonest action of a malicious DSP by adding redundancy. Specifi- cally, we can require that all the users in the system agree on a redundancy 0^k (i.e., a k-length 0 bit string) and append it with original message in each encryption. Then, after performing complete decryption to obtain the plaintext, the user can detect the dishonest action of DSP by checking the redundency.

C. The Construction under RDoC Model

We provide our second construction with two KGSPs as follows.

• Setup(λ) : It is similar to the same algorithm in our previous construction but an integer k should be agreed in public key. Specifically, the P K = {g, g1, g2, h, h1, . . . , hn, k} and MK = x are output.

• KeyGen_init(ω, M K) : For each user’s private key request on ω, AA picks x11, x12 ∈R Zq and sets OKKGSP[1] = x11, OKKGSP[2] = x12 and OKAA = x2= x−x11−x12 mod q. Next, select (d−1)-degree random polynomials qKGSP[1](·) and qKGSP[2](·) with the restrictions: i) let ω^′ be any (d − 1)-element subset of ω, qKGSP[1](i) = q_KGSP[2](i) for each i ∈ ω^′; ii) q_KGSP[1](0) = x₁₁; iii) q_KGSP[2](0) = x₁₂. Thirdly, to enable convincing the dishonest action of KGSPs later, select another random poly- nomial qRG(·). Furthermore, for each i ∈ ω, pick r_KGSP[1],i, r_KGSP[2],i, rRG,i∈RZqwith the restriction that r_KGSP[1],j = r_KGSP[2],j where j ∈ ω^′. Finally, AA sends (S[1]REAL, SRG) and (S[2]REAL, SRG) to KGSP[1] and KGSP[2] respectively, where the pair S[j]REAL = (q_KGSP[j](·), {rKGSP[j],i}i∈ω) and SRG= (qRG(·), {rRG,i}i∈ω) for j = 1, 2. We empha- size that in the both communications S[·]REAL and SRGshould be sent in random orders to avoid KGSPs knowing which one is really to be computed for partial transformation key.